
Microsoft kills Windows zero-day flaw in November 2016 Patch Tuesday

The November 2016 Patch Tuesday includes a patch for a Windows zero-day reportedly being exploited by Russian hackers, as well as bulletins experts think may be underrated by Microsoft.

Microsoft released its November 2016 Patch Tuesday fixes today, including a fix for a Windows zero-day vulnerability disclosed recently.

Of the 14 bulletins, six were rated critical by Microsoft, but one rated only "important" fixes a Windows kernel flaw that is being actively exploited. MS16-135 includes the fix for the elevation-of-privilege vulnerability disclosed last week by Google. Microsoft confirmed the Windows kernel vulnerability was being used by the advanced persistent threat group behind the DNC hack. Microsoft came under fire for downplaying the severity of the Windows zero-day, and even in the Patch Tuesday listings it gave the bulletin a rating of "important" rather than critical.

Craig Young, security researcher at Tripwire, said this "win32k kernel-mode driver update is highly critical with three vulnerabilities an attacker could use to escape low-privileged execution contexts, such as a browser sandbox."

The usual critical bulletins include MS16-142, MS16-129 and MS16-141, for Internet Explorer, Microsoft Edge and Adobe Flash, respectively. Amol Sarwate, director of vulnerability labs at Qualys Inc., based in Redwood City, Calif., noted these bulletins should still be high priorities for enterprises.

"Three more vulnerabilities that were previously disclosed before availability of patches were fixed. These three issues are in IE and Edge browser and were fixed in MS16-142 and MS16-129, respectively (CVE-2016-7227 for IE, CVE-2016-7199 and CVE-2016-7209 for Edge)," Sarwate wrote in a blog post.

Sarwate also listed MS16-133 -- the Microsoft Office bulletin -- as a top priority for enterprise, despite it not being rated as critical by Microsoft.

"Microsoft Office bulletin MS16-133 contains fixes for 10 vulnerabilities that could allow attackers to take complete control of the system. In addition to these 10 fixes there is an information disclosure as well as a denial-of-service crash which was fixed," Sarwate wrote. "Since office documents are prevalent in typical corporate environment, I think this bulletin should be treated as critical even if it is rated as 'important.'"
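Sarwate's point is that Microsoft's severity label is not a sufficient triage key on its own: an "important" Office or kernel bulletin can matter more than a critical one. The following PowerShell script is an added example, not code from the article, Qualys or Microsoft. It uses the Windows Update Agent COM API to list updates that are not yet installed on the local host and escalates any that carry a bulletin from a "must patch now" list, regardless of the MsrcSeverity value. The list itself is a hypothetical policy choice built from the bulletins named in this article; run from an elevated prompt on a host that can reach its update source.

```powershell
# Added example (not from the article): triage pending updates by bulletin ID,
# not only by Microsoft's severity label.
# Assumptions: Windows host with the Windows Update Agent COM API, elevated PowerShell.
# $MustPatchNow is a hypothetical list drawn from the bulletins discussed in the article.
$MustPatchNow = @('MS16-135', 'MS16-133', 'MS16-137', 'MS16-129', 'MS16-142', 'MS16-141')

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
# IsInstalled=0 -> not yet installed on this host; Type='Software' excludes driver updates.
$result   = $searcher.Search("IsInstalled=0 and Type='Software'")

$report = foreach ($update in $result.Updates) {
    # SecurityBulletinIDs and KBArticleIDs are COM string collections; copy them into arrays.
    # A monthly rollup may carry several bulletin IDs, so treat them as a set.
    $bulletins = @($update.SecurityBulletinIDs | ForEach-Object { $_ })
    $kbs       = @($update.KBArticleIDs       | ForEach-Object { "KB$_" })
    $hits      = @($bulletins | Where-Object { $MustPatchNow -contains $_ })

    [pscustomobject]@{
        Title        = $update.Title
        MsrcSeverity = $update.MsrcSeverity   # Critical / Important / Moderate / Low, or empty
        Bulletins    = ($bulletins -join ',')
        KBs          = ($kbs -join ',')
        # Escalate anything that carries a must-patch bulletin, whatever Microsoft labelled it.
        Priority     = if ($hits.Count -gt 0 -or $update.MsrcSeverity -eq 'Critical') {
                           'Deploy now'
                       } else {
                           'Normal cycle'
                       }
    }
}

$report | Sort-Object Priority, MsrcSeverity | Format-Table -AutoSize -Wrap
```

The search is performed against whatever update source the host is configured for (Windows Update or a WSUS server), so the result reflects what that source offers, not the full Microsoft catalog; hosts pinned to an out-of-date WSUS view will simply not see the new rollup.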

MS16-130, MS16-131 and MS16-132 are the remaining critical bulletins in November's Patch Tuesday release, and all fix vulnerabilities that could allow remote code execution. MS16-130 patches Windows itself and MS16-131 fixes Microsoft Video Control; exploitation of either issue could allow code execution. MS16-132 resolves a bug in the Microsoft Graphics Component that could allow an attacker to "install programs; view, change, or delete data; or create new accounts with full user rights."

Sarwate said Microsoft SQL server administrators should focus on MS16-136, which patches six vulnerabilities in the RDBMS engine, MDS API, SQL Analysis Services and the SQL Server Agent.

"SQL server vulnerabilities are relatively rare and although there is no remote code execution, attackers can gain escalated privileges which could allow them to view, change or delete data and create new accounts," Sarwate wrote.

Young called attention to MS16-137, an important bulletin for authentication on Windows. Microsoft said an attacker could use this flaw to escalate privilege but "would first need to authenticate to the target, domain-joined system using valid user credentials."

Young said this bulletin harked back to a patch from August (MS16-101), where "Microsoft revealed that a [man-in-the-middle] attacker could force password change requests to failback from Kerberos to the less secure NTLM authentication scheme."

"Today we are learning that problems with the NTLM password change cache could be abused by an authenticated attacker to gain administrative access to a system," Young told SearchSecurity. "Although NTLM is commonly considered a legacy technology, certain features within Windows still rely on NTLM where Kerberos has not been implemented. Administrators should strongly consider actions to reduce reliance on NTLM by 'Kerberizing' as many clients and applications as possible."
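Reducing reliance on NTLM starts with knowing where it is still used, because blocking it blind breaks whatever legacy application or non-domain host depends on it. The following PowerShell script is an added example, not code from the article, Tripwire or Microsoft. It turns on NTLM auditing (without blocking), enables the NTLM operational event log, and summarises the audit events so that repeated callers and targets stand out. It assumes a domain-joined Windows host and an elevated PowerShell 5.x session; the registry values are the per-host equivalents of the "Network security: Restrict NTLM" Group Policy settings, which is how a fleet should be configured rather than by editing each host.

```powershell
# Added example (not from the article): inventory NTLM use before "Kerberizing".
# Assumptions: domain-joined Windows host, elevated PowerShell 5.x.
# The registry values below mirror the "Network security: Restrict NTLM: ..." GPO settings;
# prefer the GPO for anything beyond a single test host.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Audit incoming NTLM for all accounts (2) and audit outgoing NTLM to remote servers (1).
# Nothing is blocked at this stage; blocking (RestrictSendingNTLMTraffic = 2) comes only
# after the audit data shows what would break.
New-ItemProperty -Path $lsa -Name 'AuditReceivingNTLMTraffic'  -Value 2 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $lsa -Name 'RestrictSendingNTLMTraffic' -Value 1 -PropertyType DWord -Force | Out-Null

# The audit records are written to this operational log, which is off by default.
wevtutil set-log 'Microsoft-Windows-NTLM/Operational' /enabled:true

# Event IDs 8001-8004 in that log are the NTLM audit/block records
# (8001 outgoing to a remote server, 8002 incoming, 8003/8004 domain-level).
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Microsoft-Windows-NTLM/Operational'
    Id        = 8001, 8002, 8003, 8004
    StartTime = $since
}

# Flatten each event's EventData into name=value pairs without assuming field names,
# so the same code works across the different event IDs.
$rows = foreach ($e in $events) {
    $data = ([xml]$e.ToXml()).Event.EventData.Data |
            ForEach-Object { '{0}={1}' -f $_.Name, $_.'#text' }
    [pscustomobject]@{
        Id   = $e.Id
        Time = $e.TimeCreated
        Data = ($data -join '; ')
    }
}

# Group identical (event ID, payload) pairs: the top rows are the clients, services and
# targets that still authenticate with NTLM and need Kerberos (SPNs, FQDN access) first.
$rows | Group-Object Id, Data | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize -Wrap
```

Leave the audit running for at least one full business cycle (month-end batch jobs and scheduled tasks are the usual stragglers) before moving any host to a deny setting, and note that the log will stay empty on hosts where the GPO overrides these registry values.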

Rounding out the remaining four important bulletins in this month's Patch Tuesday are three escalation of privilege issues (MS16-134, MS16-138 and MS16-139) in the Common Log File System Driver, Microsoft Virtual Hard Disk Driver and Windows Kernel, respectively, and a security bypass patch (MS16-140) for the Windows Boot Manager.
